Abstract: Radio frequency identification (RFID) is poised to supplant barcodes in the near future.
Its information storage capacity and its ability to transfer information are superior to those of
barcodes. However, users are increasingly concerned about invasion of their privacy and threats to
system security. Implementing security protocols in RFID is challenging because the devices are
highly resource constrained and unable to perform strong cryptography. Recently
several authentication protocols have been proposed to prevent unauthorized tracking,
impersonation, cloning, etc. In this paper, a new efficient mutual authentication protocol
is proposed to offer an adequate security level for certain applications: the tag in this
protocol needs only a hash function and the exclusive-or operation, while the reader or server takes on
most of the calculations, including the generation of the random number and the computation of
the encryption/decryption. Compared with other protocols, the protocol presented here
resists privacy leakage, spoofing, replay attacks, etc., and is feasible for
low-cost RFID systems with limited computation.
1 Introduction


RFID is currently considered a substitute for the optical barcode system in the near
future. There are three key elements within an RFID system: the RFID tag, or transponder, which carries
object-identifying data; the RFID reader, or transceiver, which reads and writes tag data; and the back-end
server, or database, which associates records with the tag data collected by readers.

However, before RFID is pervasively deployed, several security risks and potential
privacy problems should be resolved, because the communication channel is insecure and the
implementation of well-known cryptographic algorithms remains difficult due to the restricted
computational power. Simply by eavesdropping on the messages transmitted between the reader and
the tag, an attacker can obtain the unique information of the tag and can also track the tag
without any authorization.
2 Background and related work


Weis et al. proposed the Hash-lock protocol and the randomized hash-lock protocol. Although
the Hash-lock scheme offers good reliability at low cost, an adversary can easily track the tag via
its metaID. While the randomized hash-lock scheme can deter tracking, it allows the location
history of the tag to be traced if the secret information is revealed.

Ohkubo et al. used a low-cost hash-chain mechanism to defeat the tracing problem.
Although this scheme uses two different one-way hash functions, an attacker can still query the
tag and then replay the tag's response to authenticate itself to a valid reader.

Vajda et al. proposed a set of lightweight security protocols. However, these protocols rely
on the existence of a shared secret, which makes it problematic for the reader to determine which
secret corresponds to which tag. Moreover, they do not address the problem of reader-to-tag
authentication, and no attempt is made to prevent tracking of the tags.

Henrici et al. proposed the hash-based ID variation protocol, in which the ID of the tag
varies in each session. However, the attacker could still track the tag with the fixed hashed ID.


3 Our proposed protocol 


Before describing our protocol in detail, we give the definition of the notations as summarized 
in Table 1 and assume that all of the one-way hash functions are the same in Figure 1. 


Table 1: Notations

Notation   Interpretation
h( )       One-way hash function
E_k( )     Symmetric-key encryption function with the key k
D_k( )     Symmetric-key decryption function with the key k
RNG        Random number generation
K          Shared random secret between T and B
r          Pseudo-random number generated by RNG
D          A database of back-end server
ID         The static tag-identification number
DATA       All application related data of T


Step 1 R generates a fresh random nonce, r, with the RNG, and randomizes it with the
one-way hash function, S = h(r). R sends S to the queried T. S is used to authenticate the
validity of R. With S, a man-in-the-middle attack by an active attacker is prevented.

Step 2 When queried, T sends M and N to R. M is used to verify the legitimate R and to prevent
forgery based on passive eavesdropping.

Step 3 R simply forwards M, N, S and r to B. First, B verifies whether the forwarded
r is valid by comparing S with h(r). A man-in-the-middle attack by an illegitimate
R or a passive eavesdropper can thus be prevented. If R is valid, for each tuple (ID, K) in D, B
verifies that M ⊕ K equals h(ID||h(r)) and N equals h(M ⊕ h(r)). If no tuple is found, the
tag is rejected. Similarly, a replay attack can also be detected and prevented. If B successfully
finishes the authentication process, B generates C.

Step 4 B encrypts the corresponding DATA using the key k, then replies with C and E_k(DATA).
Thus, the DATA of T is securely obtained only by the legitimate R. Then, B randomizes its shared key,
K, simply by XORing it with C.

Step 5 R forwards C to T. T verifies the forwarded C: it calculates h(K) and compares it
with C. If they match, the mutual authentication has finally succeeded, and T updates the shared
secret K. Otherwise, T does not update it, as in the case where a replay attack on T occurs.











B (Back-end server)       R (RFID reader)         T (RFID tag)
(E_k(), h(), ⊕)           (D_k(), RNG, h())       (h(), ⊕)
K                         r, S = h(r)             K

1) Challenge, R → T:  Query with S
   T: M = h(ID||S) ⊕ K
      N = h(M ⊕ S)
2) T → R response:    M, N
3) R → B response:    M, N, S, r
   B: Verify S = h(r)?
      Then retrieve (ID, K) from D
      Verify M ⊕ K = h(ID||S)?
             N = h(M ⊕ S)?
      Then C = h(K)
4) B → R reply:       C, E_k(DATA)
5) R → T reply:       C
   T: Verify C = h(K)?
      Then K = K ⊕ C    (B likewise sets K = K ⊕ C)





Figure 1: Our Proposed Protocol 
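
The five steps above, written out as an added example that is not code from the paper. It assumes SHA-256 for the unnamed hash h() and 32-byte secrets, the names Tag, Backend and run_session are hypothetical, and the E_k(DATA) reply of Step 4 is left out.

```python
import hashlib, hmac, secrets

def h(*parts):  # SHA-256 stands in for the paper's unnamed h(); h(a, b) = h(a||b)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Tag:
    def __init__(self, tag_id, K):
        self.id, self.K = tag_id, K

    def respond(self, S):  # Step 2: M = h(ID||S) xor K, N = h(M xor S)
        M = xor(h(self.id, S), self.K)
        return M, h(xor(M, S))

    def confirm(self, C):  # Step 5: update K only if C = h(K)
        if not hmac.compare_digest(C, h(self.K)):
            return False
        self.K = xor(self.K, C)
        return True

class Backend:
    def __init__(self, D):  # D maps ID -> K
        self.D = dict(D)

    def authenticate(self, M, N, S, r):  # Steps 3-4, without E_k(DATA)
        if not (hmac.compare_digest(S, h(r)) and hmac.compare_digest(N, h(xor(M, S)))):
            return None
        for tag_id, K in self.D.items():
            if hmac.compare_digest(xor(M, K), h(tag_id, S)):
                C = h(K)
                self.D[tag_id] = xor(K, C)  # K = K xor C
                return tag_id, C
        return None  # no tuple matched: tag rejected

def run_session(tag, backend):
    r = secrets.token_bytes(32)  # Step 1: reader nonce r and challenge S = h(r)
    S = h(r)
    M, N = tag.respond(S)
    result = backend.authenticate(M, N, S, r)
    if result is None:
        return None
    tag_id, C = result
    return (tag_id, (M, N, S, r)) if tag.confirm(C) else None

if __name__ == "__main__":
    K = secrets.token_bytes(32)  # constructed sample secret
    print(run_session(Tag(b"tag-0001", K), Backend({b"tag-0001": K}))[0])
```

Feeding a recorded (M, N, S, r) back to Backend.authenticate after the session returns None, because K has already been replaced by K ⊕ C on both sides.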


4 Security analysis 


The user's privacy mainly means the location information or the tag information of the
owner. In our scheme the tag does not store the user's private information, and the tag ID is
hidden in the message M, so that data confidentiality is guaranteed. The tag never directly emits
the ID in plaintext form. In each session, the tag sends out a different bit string because of
the nonce r. It is infeasible for malicious parties to use a compatible reader to track the tag holder.
Therefore, tag anonymity is guaranteed. Based on the mutual authentication, our protocol
guarantees the data integrity between T and B.

As mentioned above, a forgery or replay attack is not possible because our proposal is based
on mutual authentication and the random nonce r as well as the key K are updated for each session.
Attackers have no idea which operations have been used, and therefore a simple copy of
the tag's information obtained by eavesdropping is also not possible. Table 2 shows the comparison
with some existing protocols.
Table 2: Comparison (Y means satisfied, N means not)

Anonymity | Data Integrity | Mutual Authentication | Resist to Replay Attack | Forgery Resistance

Privacy

Weis et al.      N
Ohkubo et al.    Y
Vajda et al.     N
Henrici et al.   N
our scheme       Y


5 Conclusions 


In this paper, we have proposed a lightweight authentication protocol for low-cost RFID tags. 
Our scheme achieves the data security criterion, the privacy requirements of tag anonymity and 
intractability, and the low-cost implementation requirement. From the analysis of the proposed 
protocol, we conclude that it is completely feasible in a low-cost RFID environment. 